{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}} {{- if .Values.ingress.enabled -}} {{- if (not (eq .Values.proxyListenerMode "multiplex")) -}} {{- fail "Use of an ingress requires TLS multiplexing to be enabled, so you must also set proxyListenerMode=multiplex - see https://goteleport.com/docs/architecture/tls-routing/" -}} {{- end -}} {{- $publicAddr := coalesce .Values.publicAddr (list .Values.clusterName) -}} {{- /* Trim ports from all public addresses if present */ -}} {{- range $publicAddr -}} {{- $address := . -}} {{- if (contains ":" $address) -}} {{- $split := split ":" $address -}} {{- $address = $split._0 -}} {{- $publicAddr = append (mustWithout $publicAddr .) $address -}} {{- end -}} {{- $wildcard := printf "*.%s" $address -}} {{- /* Add wildcard versions of all public addresses to ingress, unless 1) suppressed or 2) wildcard version already exists */ -}} {{- if and (not $.Values.ingress.suppressAutomaticWildcards) (not (hasPrefix "*." $address)) (not (has $wildcard $publicAddr)) -}} {{- $publicAddr = append $publicAddr (printf "*.%s" $address) -}} {{- end -}} {{- end -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ .Release.Name }}-proxy namespace: {{ .Release.Namespace }} labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} {{- if $proxy.annotations.ingress }} annotations: {{- toYaml $proxy.annotations.ingress | nindent 4 }} {{- end }} spec: {{- with $proxy.ingress.spec }} {{- toYaml . | nindent 2 }} {{- end }} tls: - hosts: {{- range $publicAddr }} - {{ quote . }} {{- end }} {{- if $proxy.highAvailability.certManager.enabled }} secretName: teleport-tls {{- else if $proxy.tls.existingSecretName }} secretName: {{ $proxy.tls.existingSecretName }} {{- end }} rules: {{- range $publicAddr }} - host: {{ quote . }} http: paths: - path: / pathType: Prefix backend: service: name: {{ $.Release.Name }} port: number: 443 {{- end }} {{- end }}